How can one enforce authorization/authentication for micro service apps? And also, how to achieve SSO (single sign-on) from an end user's perspective?
E.g. assume a shopping site which has many micro ...

Most sites, when you register via e.g. Facebook, redirect you to a page afterwards asking you to enter additional information that the site needs. Very often this includes setting a password for the ...

We are currently in the process of implementing SSO for one of our enterprise clients in our mobile application. To make it more user friendly we were considering the idea of adding a new endpoint to ...

In most scenarios a person identifies who they are (authentication/AuthN) via something like a username and password. Afterwards a system would likely evaluate what that validated identity can perform ...

At work we use a central portal that provides basic SSO functionality to other applications. In addition to verifying the SSO data sent, all of our existing in-house applications (used by the public) ...

Identity Providers (IdP) often provide a metadata file that is used when setting up SAML. This file needs to be entered into a Service Provider (SP). Do we need to keep this metadata file private and ...

I am fiddling about with a sort of single sign-on procedure.
Let's say there is site1 and site2 and both use an SSL certificate.
Users are signed in on site1.
I was wondering what the experts think ...

I wrote a simple system with an SP-initiated Web SSO scenario based on OIOSAML. To test the system, I deployed it on the remote host. However, the AssertionConsumerServiceURL, where I specified the URL on which ...

I am new to SAML2 and have a question. We have a customer that is saying that they want to encrypt the user data they are sending to us. Here is an overview of how I have this implemented today:
User ...

Given two companies managing two separate websites, the client wants the user to be able to log in to one website, and then click a link to navigate to a certain part of the second website. The client ...

I now have two websites - site A and B, both with an SSL certificate, and they have exactly the same users. So when a user logs into site A and clicks the link to site B, I want to make him auto log in to site ...

Let's say I have two websites that live on separate domains, and their service providers both talk to the same identity provider on a third domain. I log into the first website and authenticate, and ...

Summary
evil.example.com could use a hidden frame to request a CAS ticket from corporation.example.net, then validate it to receive the username of the hapless user. This effectively deanonymizes the ...
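The defence against the ticket-harvesting scenario summarised above is the CAS service registry: the server issues a service ticket only for a registered service URL, binds the ticket to that exact URL, and invalidates it after one validation attempt. The model below is an added example, not code from the post or from the Jasig/Apereo CAS project. The registry patterns, hostnames, tickets and user name are constructed for the demo; the error codes INVALID_SERVICE and INVALID_TICKET are the ones the CAS protocol specifies. The example goes one step beyond the post by matching the parsed hostname and path rather than the raw URL, so that a rogue service URL which merely embeds a registered hostname in its query string or userinfo is still rejected.

```python
"""Minimal model of CAS /login and /serviceValidate with a service registry.

Added example (not Jasig/Apereo CAS code). Shows why a ticket must be issued
only for registered services, bound to one service URL, and be single use.
"""
from fnmatch import fnmatch
import secrets
from urllib.parse import urlsplit

# Constructed registry: (hostname glob, required path prefix).
# Real CAS keeps this in its service registry; the tuple layout and the
# fnmatch glob syntax are assumptions made for this demo.
SERVICE_REGISTRY = [
    ("*.corporation.example.net", "/"),
]

# Error codes defined by the CAS protocol for /serviceValidate.
INVALID_SERVICE = "INVALID_SERVICE"
INVALID_TICKET = "INVALID_TICKET"


class CasServer:
    def __init__(self, registry):
        self.registry = list(registry)
        self._tickets = {}  # ticket -> (service URL it was issued for, username)

    def is_registered(self, service):
        """Match on parsed components, never on the raw URL string: a glob over
        the whole URL would let evil.example.com smuggle a registered hostname
        into the query string or the userinfo part."""
        parts = urlsplit(service)
        host = parts.hostname or ""
        if parts.scheme != "https" or not host:
            return False
        return any(fnmatch(host, host_pat) and parts.path.startswith(path_prefix)
                   for host_pat, path_prefix in self.registry)

    def login(self, username, service):
        """Model of /login?service=... for a user who already holds an SSO
        session. A hidden frame pointing at an unregistered service gets no
        ticket at all."""
        if not self.is_registered(service):
            return None
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, username)
        return ticket

    def service_validate(self, ticket, service):
        """Model of /serviceValidate?ticket=...&service=...

        Returns (ok, payload): payload is the username on success, otherwise a
        CAS error code. Any validation attempt consumes the ticket, so a ticket
        that was issued for service A cannot later be validated for A after
        someone tried it against B."""
        if not self.is_registered(service):
            return False, INVALID_SERVICE
        entry = self._tickets.pop(ticket, None)  # single use
        if entry is None:
            return False, INVALID_TICKET
        issued_for, username = entry
        if issued_for != service:
            return False, INVALID_SERVICE
        return True, username


def demo():
    """Walk through the rogue-site scenario and the legitimate flow."""
    cas = CasServer(SERVICE_REGISTRY)
    good = "https://portal.corporation.example.net/app"
    evil = "https://evil.example.com/collect"
    results = {}
    # 1. The hidden frame asks CAS for a ticket for the rogue site.
    results["ticket_for_evil"] = cas.login("alice", evil)
    # 2. A ticket issued for the portal is replayed against the rogue site.
    t = cas.login("alice", good)
    results["replay_at_evil"] = cas.service_validate(t, evil)
    # 3. The legitimate service validates once, and only once.
    results["first_validate"] = cas.service_validate(t, good)
    results["second_validate"] = cas.service_validate(t, good)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model step 1 already fails, so the rogue frame never obtains a ticket that would reveal the username. The real CAS server behaves the same way once the service registry is configured to allow only known services; a registry that accepts any URL, or that matches the raw URL with a loose regular expression, is what makes the deanonymisation in the post possible.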

This is in reference to Jasig's CAS software and I'm looking for a checklist to audit the state of security of a CAS implementation. While the Jasig site has a lot of documentation and their mailing ...

CAS and its alternatives all seem to require a flow like this when one service is acting as a proxy for a user when accessing a back-end service:
Service A makes a request to Service B on behalf of a ...

I need to outsource authentication to an IdP (Identity Provider) but I don't want that IdP to know of the calling site. The two major issues are the callback URL and the referer header.
Is there any ...

We're working on an SSO implementation that would be used across domains. I realize there are proven working models out there like CAS for this but I'm toying with a different approach and I want to ...

What level of access would an attacker need to obtain to compromise a SAML-based SSO system?
Would stealing the private key used to sign SAML requests be enough? What if an attacker had root on the ...

I have a few web applications that I'm trying to tie in via CAS, but I'm a little confused about the authorization, which I read CAS isn't supposed to do. Yet, I see something like groups, but don't ...